Key Takeaways
- KelpDAO’s bridge suffered a $292–$293 million security breach that eliminated $13.21 billion from decentralized finance’s total value locked within two days
- Attackers extracted 116,500 rsETH tokens and deployed them as illegitimate collateral on Aave to secure loans, generating approximately $195 million in uncollectible debt
- Aave witnessed its TVL collapse from $26.4 billion to $18.6 billion, surrendering its position as DeFi’s leading protocol by deposits
- Complete utilization of Aave’s USDT and USDC reserves means more than $5.1 billion in stablecoins is currently inaccessible to users
- AAVE, UNI, and LINK tokens experienced relatively minor price declines compared to the enormous capital exodus
A devastating $293 million security breach targeting KelpDAO’s bridge infrastructure during the weekend set off one of decentralized finance’s most significant capital flight events in recent history, erasing $13.21 billion in total value locked across DeFi ecosystems within a mere 48-hour period.
The exploitation commenced on Saturday when threat actors successfully extracted 116,500 rsETH tokens — representing approximately $293 million in value — from KelpDAO’s LayerZero-integrated bridge architecture. Subsequently, these compromised tokens were deployed as collateral on Aave, a prominent DeFi lending protocol, enabling the attackers to secure wrapped Ether loans.
Since the stolen rsETH lacked any genuine asset backing, this borrowing activity saddled Aave with approximately $195 million in irrecoverable debt. The scenario parallels depositing fraudulent currency at a financial institution and successfully securing a legitimate loan against those worthless assets.
Aave’s total value locked plummeted from approximately $26.4 billion to $18.6 billion by Sunday, data from DeFiLlama indicates. This dramatic reduction stripped Aave of its standing as the dominant DeFi protocol measured by deposit volume.
Across the entire DeFi ecosystem, TVL contracted from $99.5 billion to $86.3 billion over the same period. Protocols including Euler, Sentora, and Aave recorded double-digit percentage declines, with the damage primarily concentrated in lending protocols and restaking mechanisms.
The AAVE token fell nearly 20%, sliding from $112 on Saturday to approximately $89.50 within 24 hours. The decline resulted partly from substantial withdrawals by large market participants. Blockchain analytics platform Lookonchain flagged MEXC exchange and Abraxas Capital as among the largest to exit, removing $431 million and $392 million respectively.
Complete Utilization Freezes Stablecoin Reserves
Aave’s USDT and USDC pools on v3 have reached 100% utilization, meaning every deposited token is currently lent out. As a result, over $5.1 billion in stablecoin holdings is locked and unavailable for withdrawal until fresh liquidity arrives or outstanding loans are repaid. Currently, only $2,540 remains available for withdrawal from the $2.87 billion USDT reserve.
Following the security breach, Aave suspended rsETH markets across both its v3 and v4 implementations. The protocol additionally froze WETH reserves spanning Ethereum, Arbitrum, Base, Mantle, and Linea networks. Aave subsequently verified that rsETH on Ethereum’s mainnet retains full backing through underlying asset reserves.
Numerous additional protocols similarly suspended their LayerZero bridge integration, including Curve Finance, Ethena, and BitGo’s Wrapped Bitcoin offering.
Investigation Findings Emerge
Preliminary examination from Peter Chung, head of research at Presto Research, indicates the vulnerability may have originated within the bridge’s verification infrastructure rather than its smart contract code. He further emphasized that this incident demonstrates how interconnected DeFi protocols can amplify risk far beyond the initial compromise point.
This breach is the first major test of Aave’s “Umbrella” security framework, launched in June 2025 to deliver automated safeguards against bad debt scenarios. The incident also comes just two weeks after Aave terminated its partnership with risk management provider Chaos Labs on April 6, a split that stemmed from disputes regarding Aave v4’s strategic direction and financial allocation.


